Three years ago, a team of hackers associated with the Russian state took regional electricity distribution utilities in Ukraine offline, cutting power to roughly 230,000 residents. Similar to the recently reported attacks against the US power grid, this campaign used malicious emails to steal the credentials of Ukrainian utility employees and then log into plant control systems remotely. The attackers cut power for several hours; the compromised control systems stayed out of service for months afterward, leaving operators to run substations manually.
While it is unknown whether this led to loss of life, power outages of this magnitude have an impact that is difficult to measure in traditional cybersecurity terms: spoilage of refrigerated medicine, food contamination, slower emergency response, and failure of medical life-support systems.
In the United States, the power system consists of hundreds of small independent operators and dozens of large ones, which maintain a degree of both cooperation and competition. Because profit margins are tight in this highly regulated industry, many smaller operators cannot afford to invest in cybersecurity. The result is many weak links in the chain of power operators, any of which could cause a cascading failure across the entire grid.
No one knows what other serious security problems are lurking just out of plain sight in the energy industry. A prominent security research company recently found a flaw in two software packages created by Schneider Electric for controlling energy generation facilities. The vulnerability could have allowed an attacker to trigger a stack buffer overflow and thereby break into industrial monitoring systems and control applications.
As examined by renowned security expert and author Chris Moschovitis in his new book Cybersecurity Program Development for Business, the corporate world has yet to properly prioritize cybersecurity. Few CEOs and company executives would frame cybersecurity as an existential threat. In the conventional corporate view, cybersecurity is an IT function for protecting computers and internal networks. This viewpoint ignores recent large-scale criminal and state-sponsored cyber attacks. It seems only a matter of time until the damage from cyber attacks is equated with that of conventional military forces and terrorists. Today, the difference is that our society invests only a fraction of its resources in addressing these new, unconventional digital threats.
Moschovitis particularly cautions middle-market boards and executives against consciously, or unconsciously, abdicating their risk management responsibilities. Only the board or the shareholders can set the risk appetite of a firm. Acceptance of enterprise risk cannot be owned by a manager, much less by the IT department. Proper cybersecurity governance is key. Risk management, of which cybersecurity is a major component, needs to report on a separate line from value creation, which is the function of IT. Depending on the size and structure of the company, Moschovitis advises that the Chief Information Security Officer (CISO) report directly to the CEO or the board. Cybersecurity is a mission-critical enterprise function, and its success hinges on proper governance and on its position in the enterprise.
Things get more complex because of the porous boundary between corporate and personal use of technology. In fact, some of the same corporate cybersecurity threats reside within our own homes. For example, seven years ago a team of researchers demonstrated that a laser printer could be hijacked through a malicious print job and driven to overheat its fuser and scorch paper (https://www.wired.com/2011/11/hp-printer-hack/), and since then connected devices have only proliferated. The same device that sits in the office sits in the home office. Additionally, several of the largest manufacturers of home security cameras have been shown to omit even the most basic security protections.
Meanwhile, home appliance makers are seeking new ways to connect with customers through connected washers, dryers, refrigerators, and toasters. While it may seem convenient for your refrigerator to send a reminder when the milk is low, it is worth taking a moment to think about how your refrigerator is connected to the Internet. Few refrigerators have a firewall, receive regular software updates, or were designed by software engineers with experience in preventing attacks. With today's technology, connected capabilities bring unforeseen risks and new entry points for attackers into the home.
Transportation infrastructure is another cause for concern. A recent attack on the Colorado Department of Transportation caused major disruption and substantial remediation costs. Connected cars are increasingly exposed. General Motors had a flaw in millions of OnStar-equipped vehicles that took years to fix, while researchers have demonstrated their ability to take control of a Jeep driving down the road.
When looking at these vulnerabilities across so many of society's technology systems, one might think that consumers, enterprises, and government would be ringing the alarm bell. The lack of such action reflects a lack of ownership of the problem. Consumer complaints are spread thinly across many different products and software systems, and consumers rarely recognize the threats of lost privacy and financial fraud. Corporate management has not historically been held financially liable for security failures.
The solution to this latent societal crisis is perhaps already modeled in more heavily regulated industries. Take the financial industry, for example. In the past decade, financial services have gotten serious about cybersecurity to great effect. The driver for this change has largely been government regulations at the federal and state levels.
As with seat belts in the 1970s, when the automotive industry argued against them on the grounds of personal freedom and cost, industries find ways to adapt and absorb costs in exchange for significant perceived benefits to individuals and society. Today, almost no one gets into a car without fastening a seat belt. Tomorrow, perhaps no connected device will ship without a security compliance check. One could imagine that IoT devices such as security cameras, currently mostly imported with no controls and loaded with known vulnerabilities, would become a regulated product category with a superb safety record.
In this spring of 2018, we are perhaps witnessing the first chapter of a widespread regulatory climate. All companies that collect data on individuals in European Union (EU) countries are now required to comply with a strict new set of rules for customer data protection. The General Data Protection Regulation (GDPR) sets a broad and strong standard for consumer privacy rights. Companies collecting data such as IP addresses and browser cookies will need to protect it as they do names, addresses, and Social Security numbers.
As cybersecurity breaches become more prevalent over time, we can only hope that national governments and institutions will step up and fulfill their role as guardians of their citizens. The only way to do this is through strong regulation and international cooperation, both of which begin with a solid understanding of the subject. If, as the recent Senate Facebook hearings suggest, lawmakers lack essential digital and cybersecurity literacy, then we are left at the mercy of attackers, whatever their ideological or profit-driven motives.
To explore this topic in greater depth, security expert and author Chris Moschovitis has published a new book Cybersecurity Program Development for Business.